Various sources report that Intel’s latest x86 chips contain a secret backdoor. SoftPedia cites security expert Damien Zammit as revealing that these Intel chips come with an embedded subsystem called the Management Engine (ME) that functions as a separate CPU and cannot be disabled, and the code is proprietary.
According to Intel, the ME is in place so enterprise businesses can manage computers remotely via Active Management Technology (AMT). AMT runs completely isolated from any operating system installed on the PC.
It gets creepier.
According to Zammit, the ME:
- has full access to memory (without the parent CPU having any knowledge);
- has full access to the TCP/IP stack;
- can send and receive network packets, even if the OS is protected by a firewall;
- is signed with an RSA 2048 key that cannot be brute-forced; and
- cannot be disabled on newer Intel Core2 CPUs.
Also, he says the health of the ME firmware cannot be audited, and no one outside of Intel has seen the code for the ME.
Talk like this has been going around for a while. Back in 2014, Igor Skochinsky gave a presentation titled Intel ME Secrets. In this presentation, Skochinsky staked the claims:
- the ME is a dedicated microcontroller on all recent Intel platforms;
- the first versions were included in the network card and later moved into the chipset;
- it shares flash with the BIOS but are completely independent of the CPU;
- it can be active when the system is hibernating or even turned off; and
- it has a dedicated connection to the network interface.
The fact that the ME can enable businesses to access computers remotely (for free) is a useful service. But is the ME a one-trick pony? Is that purpose only used by businesses to access a desktop or server remotely?
My concerns about the claims
Although I do not doubt the validity of Skochinsky’s claims, I do question some of the claims that have been inspired by his research, such as Starrynews calling for everyone to immediately stop using Intel motherboards.
One claim that a lot of people are hitching their conspiracy theories on is that the ME allows for access to a computer even when the the computer is powered off. Let’s consider this: Even if the ME firmware would allow someone entry to a machine via an isolated TCP stack, what kind of information could an intruder obtain if that machine is powered down?
Say, for instance, said machine used standard hard drives (not Solid State Drives); how could anyone gain access to a platter-based drive when the drive has no power to spin? And because the ME is hardwired into the firmware, there’s no way to install anything or save instructions. For that reason, gaining entry to a system would only give the intruder access to what has been stored on RAM. But since RAM is volatile memory, chances are, there’ll be nothing there. The biggest concern for this would be linked to a cold-boot attack.
However, the ME contains the AMT instructions, which can function similarly to wake-on-LAN. That means if the right person used the ME to gain access to a machine, they could then take advantage of AMT and boot the machine. Viola! Your PC is now readily available for someone with the requisite skills to pick and choose what they want–this could include company data.
Good ol’ BIOS
AMT is a feature of Intel vPro technology. On supporting chipsets–Intel Centrino with vPro or Intel Core2 with vPro–you can access AMT settings through the BIOS. The caveat is you must know the default password to get into the AMT settings. In most cases, that password will be admin; you’ll have to consult the manufacturer to find out if that is the password. After successfully entering the AMT settings on your BIOS, you can configure AMT to your liking (find out more in this Radmin Knowledge Base piece).
The good news is that you can disable the AMT feature. Here’s how.
- In the PC BIOS, go to Advance Chipset Feature | Intel AMT (Enabled,Disabled)
- During boot, CTRL+P to go to AMT Menu | Intel ME Control State (Enabled,Disabled)
There is no way to know if the ME has the ability to re-enable AMT on its own. Why? Because no one except Intel knows what exactly it contains. So, you could disable ATM on the machine and not know if the ME can circumvent that BIOS setting.
The only secure computer is…
The only truly secure computer is the disconnected one. I have made this claim for years, and I stand by it.
No matter what operating system you are using, and no matter how good your admin skills are, if a computer is connected to the internet, it is not secure. It used to be that you could argue powering down the computer would supercede the need for disconnecting a machine from the internet. Now with the Intel ME on board, I can’t be so sure of that.
Is this a backdoor?
I tend to lean toward the paranoid, though on a professional level, I don’t believe that Intel created the ME with malicious intent. Intel could have created the ME with the NSA in mind, but I don’t necessarily follow that conspiracy. Even so, the question is still very relevant and deserves an answer.
Is the Intel ME a backdoor? Yes, of course it is. By its very definition (from Wikipedia):
A backdoor is a method, often secret, of bypassing normal authentication in a product, computer system, cryptosystem or algorithm etc. Backdoors are often used for securing unauthorized remote access to a computer, or obtaining access to plaintext in cryptographic systems.
Intel’s statement about ME
When asked about the possibility of the ME being a backdoor, Intel CTO Steve Grobman wrote on the Intel Security blog:
“First, we want to be very clear. Intel takes the integrity of its products very seriously. Intel does not put back doors in its products nor do our products give Intel control or access to computing systems without the explicit permission of the end user. In short, Intel does not participate in efforts to decrease security in technology.”
And expanded on the issue with:
“The design of Intel ME incorporates established industry standards and security best-practices, and delivers tremendous advantages to a variety of computing environments. For example, Intel applies what is called the “least privilege” principle, where users and administrators only have the rights to get their job done. We apply this principle into the design of our processors so each component has the minimum – yet sufficient – privileges it needs to perform a given task, mitigating the chances that attackers could use privileges to access areas they shouldn’t.
However, as we are all painfully aware, today’s threat landscape produces countless security challenges every year, targeting systems in a variety of areas. Should an issue arise after a product has shipped, Intel has architected its products with the ability to receive security firmware updates that can counter these issues in the field, allowing for more rapid responses to new exploits and threats.”
Although I am inclined to believe Intel, I know there will be a very vocal group that insists Intel will never refute the claims of a possible back door in the ME until the code can be vetted.
What do you think?
Has Intel created a means for groups like the NSA to gain access to our machines, whether they are on or off? Is this yet another way for hackers to procure our data? Share your thoughts in the discussion.
Subscribe to the Cybersecurity Insider Newsletter
Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays